#include <abstractions/nameservice>
#include <abstractions/wutmp>
/etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
+@@ -74,10 +73,11 @@
+ capability ipc_lock,
+
+ # allow processes in the guest session to signal and ptrace each other
+- signal peer=@{profile_name},
+- ptrace peer=@{profile_name},
+- # needed when logging out of the guest session
+- signal (receive) peer=unconfined,
++ # this doesn't work with the current Debian apparmor
++ #signal peer=@{profile_name},
++ #ptrace peer=@{profile_name},
++ ## needed when logging out of the guest session
++ #signal (receive) peer=unconfined,
+
+ # silence warnings for stuff that we really don't want to grant
+ deny capability dac_override,
+--- a/data/apparmor/abstractions/lightdm_chromium-browser
++++ b/data/apparmor/abstractions/lightdm_chromium-browser
+@@ -8,6 +8,7 @@
+ # provided in abstractions/lightdm, this abstraction must be separate from
+ # abstractions/lightdm.
+
++ /usr/lib/chromium/chromium Cx -> chromium,
+ /usr/lib/chromium-browser/chromium-browser Cx -> chromium,
+ /usr/bin/webapp-container Cx -> chromium,
+ /usr/bin/webbrowser-app Cx -> chromium,
+@@ -53,6 +54,7 @@
+
+ /selinux/ r,
+
++ /usr/lib/chromium/chrome-sandbox ix,
+ /usr/lib/chromium-browser/chromium-browser-sandbox ix,
+ /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
+ /opt/google/chrome-*/chrome-sandbox ix,